Caputo's blog

Computing, technology, programming, DIY, papercraft and papertoys

25 security mistakes made during development

February 18th, 2010 by Giovanni Caputo

CWE

The CWE site lists the 25 most common and most dangerous mistakes made while developing an application, each of which leaves it insecure.

You can download the file: pdf

Rank Score ID Name
[1] 346 CWE-79 Failure to Preserve Web Page Structure (‘Cross-site Scripting’)
[2] 330 CWE-89 Improper Sanitization of Special Elements used in an SQL Command (‘SQL Injection’)
[3] 273 CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
[4] 261 CWE-352 Cross-Site Request Forgery (CSRF)
[5] 219 CWE-285 Improper Access Control (Authorization)
[6] 202 CWE-807 Reliance on Untrusted Inputs in a Security Decision
[7] 197 CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
[8] 194 CWE-434 Unrestricted Upload of File with Dangerous Type
[9] 188 CWE-78 Improper Sanitization of Special Elements used in an OS Command (‘OS Command Injection’)
[10] 188 CWE-311 Missing Encryption of Sensitive Data
[11] 176 CWE-798 Use of Hard-coded Credentials
[12] 158 CWE-805 Buffer Access with Incorrect Length Value
[13] 157 CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’)
[14] 156 CWE-129 Improper Validation of Array Index
[15] 155 CWE-754 Improper Check for Unusual or Exceptional Conditions
[16] 154 CWE-209 Information Exposure Through an Error Message
[17] 154 CWE-190 Integer Overflow or Wraparound
[18] 153 CWE-131 Incorrect Calculation of Buffer Size
[19] 147 CWE-306 Missing Authentication for Critical Function
[20] 146 CWE-494 Download of Code Without Integrity Check
[21] 145 CWE-732 Incorrect Permission Assignment for Critical Resource
[22] 145 CWE-770 Allocation of Resources Without Limits or Throttling
[23] 142 CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)
[24] 141 CWE-327 Use of a Broken or Risky Cryptographic Algorithm
[25] 138 CWE-362 Race Condition

Category: Programming, Websites, Technology | No Comments

KeePass Password Safe: free password manager

March 1st, 2009 by Giovanni Caputo

Main Window Screenshot

These days we need to remember a great many passwords: from the Windows login to our mail account, plus the credentials for the FTP space of our own website and those for the countless online sites that now require registration. Often a different password is used for each account, so that anyone who discovers one password cannot get into all of them.

So I would like to suggest an open-source password manager, and therefore completely secure, that helps you manage your passwords safely.

It lets you store all your passwords in a database locked by a single master password. The database is encrypted with the most secure algorithms currently known (AES and Twofish).


Category: Open Source, programs | 1 Comment

OWASP: free books on web application security

February 24th, 2009 by Giovanni Caputo

After attending OWASP Day 3, held in Bari at the Department of Computer Science, I would like to point out some books that explain how to build secure web applications.

OWASP Development Guide 2.0 Downloads

English:

Other books

OWASP CLASP v1.2 (book)

Print: €13.52

Download: FREE

Download OWASP_CLASP_v1.2_for_print_LULU.pdf for free

OWASP Top10 – Testing – Legal 07 (book)

Print: €11.67

Download: FREE

This book contains 3 separate documents created by OWASP’s community: The OWASP Top 10 2007, The OWASP Testing Guide v2.0 and The OWASP Secure Software Contract Annex.

Download OWASP_LULU.pdf for free

OWASP APPSENSOR (book)

Print: €4.93

Download: FREE

The AppSensor document is a conceptual framework that offers prescriptive guidance to implement intrusion detection capabilities into existing applications utilizing standard security controls and recommendations for automated response policies based upon detected behaviour. When using AppSensor, an application will be able to identify malicious users within the application and eliminate the threat by taking response action such as logging out the user, locking the account or notifying an administrator. An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw. For more information please check the OWASP Foundation’s website – OWASP AppSensor Project.

Download 5984542.pdf for free

OWASP Ruby on Rails Security Guide (book)

Print: €5.00

Download: FREE

The last security guide for Rails was a great success, with a lot more secure web applications and continued awareness in the community of security issues. The Ruby on Rails Security Project is the one and only source of information about Rails security topics, and I keep the community up-to-date with blog posts and conference talks in Europe. The Guide and the Project have been mentioned in several Rails books and web-sites. A lot has changed since the publishing of the first Guide. Some new security holes have been found, there is new advice and most importantly Rails version 2.0 has been released. The new Ruby on Rails Security Guide aims at providing an up-to-date coding and configuration guide for the Rails community. For more information please check the OWASP Foundation’s website – OWASP Ruby on Rails Security Guide V2.

Download 5811294.pdf for free

OWASP Backend Security (book)

Print: €7.74

Download: FREE

This project aims to improve and to collect the existing information about backend security. The project is composed of three sections (security development, security hardening and security testing). The aim is to define the guidelines for the companies and IT professionals working in the security field on process development and back-end component management/testing in the enterprise architecture. For more information please check the OWASP Foundation’s website – OWASP Backend Security Project.

Download 5808965.pdf for free

OWASP Testing Guide (book)

Print: €10.97

Download: FREE

The OWASP Testing Guide (2009 Version 3.0) includes a “best practice” penetration testing framework which users can implement in their own organizations and a “low level” penetration testing guide that describes techniques for testing the most common web application and web service security issues. OWASP Testing Guide v3 is a 349 page book; we have split the set of active tests into 9 sub-categories for a total of 66 controls to test during the Web Application Testing activity. For more information please check the OWASP Foundation’s website – OWASP Testing Guide V3.0 Project.

Download 5691953.pdf for free

OWASP Code Review (book)

Print: €8.37

Download: FREE

The Code Review Guide is currently at release version 1.1 and was the second best selling OWASP book in 2008. Many positive comments have been fed back regarding this initial version, and I believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information. The combination of a book on secure code review and tools to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development. Going forward I hope that further integration with the ASVS and other guides, such as the testing and ASDR guides, shall be performed for version 2.0. For more information please check the OWASP Foundation’s website – OWASP Code Review Guide V1.1.

Download 5678680.pdf for free

Securing WebGoat using ModSecurity (book)

Print: €6.45

Download: FREE

The purpose of this project is to create custom ModSecurity rulesets that, in addition to the Core Set, will protect WebGoat 5.1 from as many of its vulnerabilities as possible (the goal is 90%) without changing one line of source code. To ensure that it will be a complete ‘no touch’ on WebGoat and its environment, ModSecurity will be configured on an Apache server as a remote proxy server. For those vulnerabilities that cannot be prevented (partially or not at all), I will document my efforts in attempting to protect them. Business logic vulnerabilities will be particularly challenging to solve. For more information please check the OWASP Foundation’s website – OWASP Securing WebGoat using ModSecurity Project.

Download 5082126.pdf for free

OWASP Application Security Verification Standard (book)

Print: €5.76

Download: FREE

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing application security verification using a commercially-workable open standard. This standard can be used to establish a level of confidence in the security of web applications and web services. For more information please check the OWASP Foundation’s website – OWASP Application Security Verification Standard (ASVS) Project.

Download 4576962.pdf for free

OWASP Top10 2007 Portuguese (Release) (book)

Print: €4.89

Download: FREE

Download 3446109.pdf for free

OWASP ASDR Application Security Desk Reference – SoC2008 (Alpha) (book)

Print: €15.15

Download: FREE

This project is helpful as basic reference material when performing such activities as threat modeling, security architecture review, security testing, code review, and metrics. We intend to encourage understanding and consistency when discussing these basic foundational elements of application security. Security only works if people can make informed decisions about risk. The ASDR provides that basic information to help ensure all stakeholders are involved. For more information please check the OWASP Foundation’s website – OWASP Application Security Desk Reference (ASDR) Project.

Download ASDR-draftv0.9.pdf for free

OWASP WebGoat and WebScarab (book)

Print: €3.93

Download: FREE

Download OWASP_WebGoat_and_WebScarab_for_print.pdf for free

OWASP Code Review – 2008 (RC2) (book)

Print: €6.77

Download: FREE

Download OWASP_Code_Review_2007__RC2_-_Version_for_print.pdf for free

OWASP Evaluation And Certification Criteria (book)

Print: €2.47

Download: FREE

Download OWASP_Evaluation_and_Certification_Criteria.pdf for free

OWASP Top 10 – Ruby on Rails version (book)

Print: €3.12

Download: FREE

Download Owasp-rails-security.pdf for free

OWASP SpoC 2007 (book)

Print: €6.85

Download: FREE

Download OWASP_SpoC_2007_for_print.pdf for free

OWASP World (Nov 2007) (book)

Print: €6.63

Download: FREE

Download OWASP_World_Book_for_print.pdf for free

Category: Programming, Websites | No Comments

New virus on MSN: "Questa è la tua foto?" http://youtube.my3gb.com/index.php?= tuocontatto@hotmail.it

June 3rd, 2008 by Giovanni Caputo

A new attack from a new piece of malware which is still completely unknown but is starting to infect a huge number of computers. Through Windows Live Messenger the malware sends a link with the following text (Italian for "Is this your photo?"):

Questa è la tua foto? http://youtube.my3gb.com/index.php?= tuocontatto@hotmail.it

Many Windows Live Messenger users have been infected, most likely because the link the malware sends to your contacts can at first glance look very similar to the famous video-sharing site Youtube.com.
In any case, I will publish a guide for removing the virus as soon as possible.

Category: Antivirus, News | 2 Comments

Changing the Firefox referrer variable with RefControl

May 23rd, 2008 by Giovanni Caputo

Sometimes it can be useful to prevent Firefox from telling the site you are visiting where you came from: portals very often use this information to gather access statistics and/or to serve different content depending on where the reader came from.

The RefControl add-on lets you configure the browser differently for each site, masking or altering the referring address.

Category: Curiosities, programs | No Comments

Avoid giving out your email address in chats or forums with Saytome

May 9th, 2008 by Giovanni Caputo

SaytoMe is a new web 2.0 service that makes it extremely easy to create a public contact form.

Saytome is particularly useful when we do not want to give out our email address, for example on forums or while chatting.

No registration is needed to use the service: just enter your name and email address and Saytome will create a unique static URL.

Finally, paste it into the conversation window to receive messages directly in the mailbox you provided when creating it.

Category: Websites | No Comments